IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Application of: Hiang-Swee Chiang
Confirmation No.: 1362
Serial No.: 09/812,634
Filing Date: March 20, 2001
Group Art Unit: 2135
Examiner: Beemnet W. Dada
For: Transparent User And Session Management For Web Application

Mail Stop Appeal-Brief Patents
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

Sir:

APPELLANT'S REPLY BRIEF PURSUANT TO 37 C.F.R. § 41.41

This Reply Brief is filed in response to Examiner's Answer mailed December 13,
2007, and in further support of Appellant's appeal from the rejections of claims 1 through 78
dated May 31, 2006. A Notice of Appeal was filed on November 30, 2006 and an Appeal
Brief was submitted March 6, 2007 (and resubmitted on October 24, 2007).

The Office is hereby authorized to charge Deposit Account No. 23-3050 for any fee
that may be due. The Commissioner is hereby requested to grant an extension of time for the
appropriate length of time, should one be necessary, in connection with this filing or any
future filing submitted to the U.S. Patent and Trademark Office in the above-identified
application during the pendency of this application.

I. STATUS OF CLAIMS

A. Total Number of Claims in Application 

There are seventy-eight (78) claims pending in this application. 

B. Current Status of Claims 

Claims 1 through 78 are pending. Claims 1 through 78 stand rejected. 

C. Claims On Appeal 

Claims 1 through 78 are on appeal. 

II. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL

Whether the rejection of claims 1, 3-10, 12-20, 22-29, 31-38, 40-49, 51-59, 61-69 and
71-78 under 35 U.S.C. § 103(a) as allegedly being unpatentable over Wood (US Patent No.
6,668,322 B1) in view of Zhao (US Patent 6,035,404) is proper.

Whether the rejection of claims 2, 11, 21, 30, 39, 50, 60 and 70 as being unpatentable
over Wood in view of Zhao and Gupta (US Patent No. 6,226,752) is proper.

III. ARGUMENT

Appellant respectfully submits that the Examiner's Answer fails to establish that all of 
the recited claim language is taught by the cited references. Accordingly, the Examiner has 
failed to establish a prima facie case of obviousness under 35 U.S.C. § 103(a). 

A. Background Of The Disclosed Embodiments 

In the patent specification, Appellant notes several features of existing systems: 

The stateless nature of Hyper-Text Transfer Protocol
(HTTP) is a disadvantage of any web application that runs on a 
server computer connected to a network and which uses HTTP 
to communicate with client web browsers. This is because the 
HTTP protocol is generally a stateless request/response 
protocol. That is, for every request generated by a user, the 
web application provides a response which typically includes 
one or more variables used by the application to identify the 
user and/or the session. In order to accomplish user and/or
session management, these variables are returned with a 
subsequent request by the user. Without that, the HTTP 
protocol does not inform the server whether a series of 
consecutive requests are coming from the same web browser 
and/or user or different web browsers and/or users. 

For any web application which uses HTTP protocol to 
communicate with a web browser, it is very important to 
ascertain whether consecutive requests come from the same 
web browser and/or user. To enable session as well as user 
management, prior web applications were designed to send one 
or more cookies as part of an initial response to a web browser. 
In turn, a web browser was required to return one or more 
cookies as part of the subsequent request. 

[B]oth software libraries and session objects have also 
been used to enable web applications to manage different users 
and/or sessions. The first approach provides two variables to a 
web application for each request to identify the session and 
user. The web application can then use either hash tables in
memory, files on a file system or tables in a database system to 
keep the application states associated with each session and 
user. 

In contrast to these existing methods wherein multiple variables are used to identify
the session and user, Appellant claims a method for performing user and session
management comprising "receiving a first request from a user for an application instance, the
request including a single identifier used to identify both a session and a user for all user
requests without further user and session application variables."

B. The Claim Language 

Representative claim 1 recites: 

1. A method for performing user and session management
over a computer network, comprising: 

receiving a first request from a user for an 
application instance, the request including a single identifier 
used to identify both a session and a user for all user requests 
without further user and session application variables; and

transmitting an application instance response to the user 
based on stored user and session system information. 



C. The References Do Not Teach The Recited Claim Language 

The Examiner's Answer attempts to read the cited references on selected portions of 
the application specification. (See Answer, pp. 19-20).[1] Appellants respectfully submit that
the Examiner's comparisons of the cited references to the application specification are not 
relevant. Rather, the appropriate analysis is that relating to the actual claim language 
relative to the cited references. The combinations recited in the claims are not taught or 
suggested by the cited references. 

[1] For purposes of clarifying ambiguity, we note that one of the quotes of the application specification that
appears in the Examiner's Answer does not comprise all of the relevant language. In particular, the quote from
page 13, lines 21 through 24 of the application (referenced on page 20 of the Answer) reads in its entirety as
follows: "if authentication is successful, the runtime environment returns a redirection response to the original
request URL together with a single cookie (also referred to herein as the JLVSession cookie, which may contain
a static unchanging value) that includes a random number generated by the central server 18 via random
number generator 21 for uniquely identifying the user and the session (step 407)." (emphasis added).

In previous communications relating to the present application, including the Final
Office Action issued May 31, 2006, the Examiner has acknowledged that Wood (U.S. Patent
6,668,322) "is silent on a single identifier used to identify both a session and a user." Indeed,
at page 3 of the Answer, the Examiner again concedes this point. Nevertheless, in the
Response to Argument section of the Answer, the Examiner now alleges "Wood teaches a 
session cookie, that identifies a user (session ID & principal Id, see figure 4 session 
credentials 420 and session cookie 430) and that also identifies a session (session Id & Date 
creation/expiration time, see figure 4 session credentials 420 and session cookie 430)."
(Answer, p. 20). It is respectfully submitted that, in fact, Wood teaches a system of the type 
that Applicants sought to improve upon. In particular, Wood teaches using two separate 
identifiers, "session id" and "principal id," to identify a session and a user. (Wood, col. 8, ll.
9-25). Wood also describes that there are additional user session and application variables, 
namely, "a trust level, group ids, a creation time, and expiration time." In contrast, claim 1 
recites "the request including a single identifier used to identify both a session and a user 
for all user requests without further user and session application variables." Not only
does Wood not teach "the request including a single identifier," but it also fails to teach 
"without further user and session application variables." It is respectfully submitted that the 
Examiner's assertion that Wood teaches "the request including a single identifier for all user 
requests without further user and session application variables" is not supported by the 
disclosure. 

In response to Appellant's Appeal Brief in which it was illustrated that Zhao likewise
fails to teach "the request including a single identifier used to identify both a session and a
user for all user requests without further user and session application variables," the
Answer now asserts that "Examiner used Zhao's reference to show the teachings of a single
identifier that is used to identify both a user and a session (i.e. session ID, stored in a database
lookup table with other user and session information . . .)" (See Answer, p. 21). Thus, the
Answer now concedes that similar to Wood, Zhao also does not teach or suggest "the request
including a single identifier . . . for all user requests without further user and session
application variables." Accordingly, the Examiner has failed to illustrate that the recited
claim language existed anywhere in the prior art.

Even assuming that the Examiner had met its burden to show that Wood or Zhao
taught "the request including a single identifier . . . for all user requests without further
user and session application variables" (which it has not), Zhao does not teach "a single
identifier that is used to identify both a user and a session" as alleged. (See Answer, p. 21).
The session ID taught by Zhao is not a single identifier used to identify both a user and a
session. Figure 6 and the referenced sections of Zhao disclose a state lookup table 24.
According to Zhao, "[w]hen a user attempts to log on, the state lookup table is used for
various functions, such as recording session ID's, active users, and determining the status of
logins already in progress." (Zhao, Col. 5, ll. 40-43). Zhao further explains that "each
session, which is established after a user login, has an entry created in the table. A session ID
48 is generated dynamically for a session." (Zhao, Col. 5, ll. 47-50). "The internal user ID
(IUID) for the session is also entered into the state lookup table. The IUID is obtained from
the user profile data in the same manner as the user mask." (Zhao, Col. 5, ll. 54-56). "Both
are obtained when the user accomplishes the normal login procedure, such as entering his
own user ID and password successfully." (Zhao, Col. 5, ll. 56-59).

Thus, Zhao teaches receiving user ID's and passwords. Zhao teaches that the session 
ID, which is relied upon to support the rejection, is not received in a user request. Rather, 
Zhao teaches that the session ID is generated and maintained internally in the state lookup 
table. 

Furthermore, Zhao does not teach that the session ID identifies both a session and a 
user. To the contrary, Zhao discloses in the state lookup table 24 of Figure 6, that each 
session ID is stored in relation to an internal user ID. It is entirely possible that the session 
ID's taught by Zhao could be repeated between users. For example, a session ID 001001 
could be associated with user interface ID 1000, but may also be associated with internal user 
interface ID 1001. 

Therefore, Wood and Zhao, even in combination, do not disclose or suggest "the 
request including a single identifier used to identify both a session and a user for all user 
requests without further user and session application variables."

Moreover, even assuming that Wood and Zhao could possibly be arranged to result in 
the recited claim language (which they cannot), one of ordinary skill would not be motivated
to make such a combination. The Examiner's Answer asserts that "[o]ne of ordinary skill in
the art at the time of applicant's invention could have been motivated to employ the teachings
of Zhao with the system of Wood in order to properly permit access to system applications 
thereby enhancing security of the system." (Answer, p. 23). Appellant respectfully disagrees. 
The systems and methods disclosed by Wood already "permit access to system applications." 
The motivation to "properly permit access to system applications" had been satisfied. 
Therefore, because the need to permit access to system applications had already been
satisfied, even if it were possible to do so, one skilled in the art would have no motivation to
combine Wood with Zhao to arrive at the claimed combination.

Indeed, Wood actually teaches away from combining to form the recited 
combination. At column 8, lines 9-25, Wood describes using two separate identifiers within 
a session to identify the session and the user. In particular, Wood teaches using "session id" 
and "principal id." Also, Wood describes that there are additional user session and 
application variables, namely, "a trust level, group ids, a creation time, and expiration time." 
In Wood, the trust level is associated with the unique principal id and "serves as a basis for 
evaluating whether a principal associated with the session credentials has been authenticated 
to a sufficient level. . ." (emphasis added) (Col. 8, lines 26-30). If the same id were used for 
the session and user, it would not be possible to evaluate user authentication using the trust 
level, as required by Wood. Modifying Wood to include the "single identifier" and not a trust 
level would render Wood unsatisfactory for this intended purpose. Accordingly, not only is 
there not a motivation to combine Wood with Zhao, but Wood actually teaches away from a 
combination such as that recited in claim 1.

D. Conclusion 

Therefore, because neither Wood nor Zhao teaches all of the recited claim language, the
references cannot be combined to form the recited combination of claim 1 and all claims 
depending therefrom. See M.P.E.P. § 2143.03. Furthermore, even if Wood or Zhao taught 
the recited language of the claims, there is no motivation to combine the references to form 
the recited combination. For similar reasons, independent claims 7, 8, 9, 10, 17, 18, 19, 20, 
26, 27, 28, 29, 35, 36, 38, 44, 45, 46, 47, 55, 56, 57, 58, 65, 66, 67, 68, 75, and 77, and all
claims depending therefrom are patentable over the cited references. Withdrawal of the 
rejections under 35 U.S.C. § 103(a) is respectfully requested. 

Applicant respectfully submits that the rejection of claims under 35 U.S.C. § 103(a)
was improper. For all of the foregoing reasons, Applicant respectfully requests that the
Board reverse the rejections.



Woodcock Washburn LLP 
Cira Centre 

2929 Arch Street, 12th Floor 
Philadelphia, PA 19104-2891 
Telephone: (215) 568-3100 
Facsimile: (215) 568-3439 



Date: February 13, 2008 



/John E. McGlynn/ 
John E. McGlynn 
Registration No. 42,863 